Hello, this email brought me to finally implement what I wanted to do for two months already: Implementing a decent linux iptables ruleset for ntp. Weapon of choice: the recent module to avoid having to manually blacklist clients.
After setting a rule that blocked all packets from clients that send 9 or more packets in 10 seconds, I noticed that about 2-3% of all packets were filtered out, with about 120 clients affected in 15 minutes. Did I accidentally filter out normal packets, like the bursts when a client initializes? What are normal packet rates?

I have set it to 9 packets in 5 seconds now and the numbers look a lot more decent, with only 5 clients filtered in 15 minutes.

Any further suggestions about filtering misbehaving clients?

Regards,
Daniel

On Tue, 21 Aug 2012 01:51:10 -0400, AlbyVA <[email protected]> wrote:
> Break out the Firewall Filters if you are being abused with a DoS/DDoS
> attack.
> If that fails, call your ISP. They have network security on staff to help
> address the issue.
>
> On Tue, Aug 21, 2012 at 1:45 AM, Hal Murray <[email protected]> wrote:
>
>> [email protected] said:
>> > I'm not sure if this client has a severe bug or is intentionally trying to
>> > overload the server but I have been receiving an average of around 500
>> > packets per second from them for the last hour and a half with occasional
>> > drops to about 350 pps. ...
>>
>> One possibility is that somebody is using NTP as a DDoS mechanism.
>>
>> NTP doesn't amplify much, but it's easy to forge the return address on UDP
>> packets.
>>
>> --
>> These are my opinions. I hate spam.
>>
>> _______________________________________________
>> pool mailing list
>> [email protected]
>> http://lists.ntp.org/listinfo/pool
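Daniel's two thresholds (9 hits in 10 s versus 9 hits in 5 s) can be compared offline before they touch a production server. The script below is an added example, not Daniel's ruleset and not part of the thread: it approximates the behaviour of an `iptables -m recent --update --seconds S --hitcount H -j DROP` rule followed by `-m recent --set -j ACCEPT` (the rule pair is assumed, since none was posted), and runs it over constructed traffic. The source addresses, the 8-packet/2 s iburst pattern, the 64 s poll interval, the 100 ms offset between hosts behind one NAT and the 500 pps flood are all constructed inputs; the 20-entry stamp ring mirrors xt_recent's default `ip_pkt_list_tot`, and dropped packets still leave a stamp because `--update` records a hit on match. The model ignores the per-list size limit and other kernel details, so treat it as a sizing aid, not as a reproduction of the kernel.

```python
from collections import defaultdict, deque

# xt_recent keeps a ring of timestamps per address; the kernel default for
# the module parameter ip_pkt_list_tot is 20.
STAMP_RING = 20


def rate_limit(packets, seconds, hitcount, ring=STAMP_RING):
    """Approximate the packet fate under the assumed rule pair:
         -m recent --name ntp --update --seconds S --hitcount H -j DROP
         -m recent --name ntp --set -j ACCEPT
    `packets` is an iterable of (time_ms, src).  Returns
    {src: (accepted, dropped)}."""
    stamps = defaultdict(lambda: deque(maxlen=ring))
    stats = defaultdict(lambda: [0, 0])
    window = seconds * 1000
    for t, src in sorted(packets):
        q = stamps[src]
        # Forget stamps that fell out of the S-second window.
        while q and q[0] <= t - window:
            q.popleft()
        if len(q) >= hitcount:
            stats[src][1] += 1      # DROP (--update still records a stamp)
        else:
            stats[src][0] += 1      # ACCEPT (--set records a stamp)
        q.append(t)
    return {src: tuple(v) for src, v in stats.items()}


def ntp_client(src, hosts=1, polls=13, poll_ms=64_000):
    """Constructed traffic: `hosts` ntpd instances share one source address
    (a NAT).  Each sends an iburst of 8 packets 2 s apart at start-up, then
    polls every 64 s; hosts are offset from each other by 100 ms."""
    pkts = []
    for h in range(hosts):
        pkts += [(2_000 * i + 100 * h, src) for i in range(8)]
        pkts += [(poll_ms * (k + 1) + 100 * h, src) for k in range(polls)]
    return pkts


def flood(src, pps=500, duration_s=10):
    """Constructed traffic: a constant-rate flood like the one reported."""
    step = 1000 // pps
    return [(step * i, src) for i in range(pps * duration_s)]


# Constructed sample traffic (addresses from the documentation range).
TRAFFIC = (ntp_client("203.0.113.10")                 # one ordinary client
           + ntp_client("203.0.113.20", hosts=2)      # two hosts behind a NAT
           + ntp_client("203.0.113.30", hosts=12)     # twelve hosts booting at once
           + flood("203.0.113.40"))                   # 500 pps abuser


def compare(traffic=TRAFFIC, settings=((10, 9), (5, 9))):
    """Run each (seconds, hitcount) setting over the same traffic."""
    return {f"{h} in {s}s": rate_limit(traffic, s, h) for s, h in settings}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name)
        for src, (ok, dropped) in sorted(result.items()):
            print(f"  {src:15} accepted={ok:5} dropped={dropped:5}")
```

The output separates the cases Daniel is asking about: a lone client with an iburst never trips either threshold, the flood is cut to nine accepted packets under both, but two hosts sharing a NAT and starting together produce about one packet per second for 14 s, which the 10 s window counts as abuse while the 5 s window lets through. Twelve hosts behind one address are dropped under both settings, so the NAT case is the one to watch when reading the `recent` hit counts.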
